
The 'one tiny slip' that put LulzSec chief Sabu in the FBI's pocket

Well, at least this'll make a half decent movie

Analysis The man named by the FBI as infamous hacktivist Sabu was undone by an embarrassing security blunder, it is claimed.

The alleged LulzSec kingpin eventually copped to a battery of hacking charges last August and was reported to have been "co-operating" with the FBI in the months leading up to yesterday's arrests.

Agents locked onto Hector Xavier Monsegur, an unemployed 28-year-old from New York – allegedly LulzSec hacktivist supremo Sabu – after he apparently made the mistake of logging into an IRC chat server without using an anonymisation service such as a secure proxy or Tor.

According to Fox News: "Sabu had always been cautious, hiding his Internet protocol address through proxy servers. But then just once he slipped. He logged into an Internet relay chatroom from his own IP address without masking it. All it took was once. The feds had a fix on him."

Editor's note: Monsegur claims he always connected through hacked boxes and did not leak his home IP address on IRC. Rather, the FBI unmasked him after he was dox'ed on Efnet IRC years prior and agents eventually obtained a copy of those personal details, we're told.

It's unclear precisely when investigators identified Monsegur as a prime suspect in the case. However by early June last year, separate digital sleuthing by various parties – most notably @backtracesec and purported ex-military anti-WikiLeaks hacker The Jester (@th3j35t3r) – led to the public fingering of Monsegur as Sabu.

Monsegur was not the only person named as Sabu. The Jester previously named (he later apologised for his error) an innocent Portuguese web designer as a suspect, for example. Pastebin has been full of various documents giving multiple "identities" and background details for supposed members of LulzSec and Anonymous for months.

However the fact that Monsegur was named at all caused investigators to fear he would destroy evidence if they failed to act quickly. The Puerto Rican immigrant's flat was raided on 7 June last year.

We're told agents had already obtained a warrant to pull Monsegur's Facebook file, and said they found evidence that the suspect had traded credit card numbers with other hackers. This was enough to execute a warrant to seize equipment and arrest Monsegur.

Investigators reportedly coerced the unemployed dad into cooperating by threatening him with two years in prison away from his children on the easy-to-prove ID theft charges alone if he failed to turn informant on the rest of the LulzSec crew. The feds also persuaded him to turn over the encryption keys on his battered laptop, allowing them to obtain evidence of Monsegur's "hacking activities".

“It was because of his kids,” an FBI source told Fox News. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

Monsegur was bailed on the identity theft charges and returned home after agreeing to act as an informant against his erstwhile hacktivist colleagues, officials told Fox News. Neither his family nor his "brothers" in Anonymous and LulzSec were left any the wiser that he was then working as a co-operating witness, his "handlers" said.

Sabu's anti-capitalist rants and brazen boasts continued after Monsegur's changed status, they said. But a minority – most notably a hacktivist using the handle Virus – suspected he might have been acting as a federal informant around this time.

Virus's suspicions were raised when Sabu disappeared offline for about a week, and by Sabu's later alleged inducement to hack into Backtrace Security (an outfit tracing members of LulzSec) for money – an offer Virus declined. Virus confronted Sabu with his suspicions that he might be a snitch in a heated exchange, recorded on PasteBin here.

Just a normal New Yorker

These suspicions were isolated and the vast remainder of LulzSec and legions of members of hacktivist collective Anonymous continued to follow Sabu's lead.

What they didn't know was that for the last eight months or so, and certainly from the time in mid-August when Monsegur secretly pleaded guilty to a slew of hacking offences, the feds had been monitoring exchanges and gathering evidence against them, as well as passing on information that was used to minimise the damage caused by some of the planned operations. From mid-August onwards, sources told Fox News, Monsegur allegedly worked out of the FBI's New York City offices almost every day.

Later his handlers allowed him to work using a laptop provided by the FBI while under close 24-hour monitoring and supervision.

Monsegur was watched by his federal handlers while maintaining the same habits and online presence, spending between eight and 16 hours a day at his computer and often working through the night. His FBI handlers orchestrated an elaborate disinformation campaign, using the AnonymousSabu Twitter account and interviews with journalists to spread disinformation.

Ironically, the man alleged to be the frontman and chief rabble-rouser for #FuckFBIFridays – a weekly event in the Anonymous calendar – had been cheering on attacks against law enforcement systems from behind an FBI desk, while at the same time working to minimise any damage, the G-men said.

Monsegur reportedly worked with his handlers to mitigate the damage caused by the hack on 70 law enforcement websites in July 2011, minimising the amount of information that came out a month later. The suspect worked with the FBI to inform 300 government, financial and corporate entities in the US and elsewhere of problems in their systems that had come to the attention of hackers, his handlers said.

He also apparently fact-checked boastful claims frequently made by hacktivists who, as before, continued to come to Sabu with plans for operations, the FBI said.

On one occasion, at the behest of his FBI handlers, Monsegur successfully ordered the end of a DDoS attack against the CIA. “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”

He then allegedly helped the FBI track down and gather evidence against his hacking associates, information that only became public with the unsealing of his indictment [PDF] and the arrest of suspected hacktivists in the US, Ireland and the UK on Tuesday.

Monsegur adapted to his new status to the point that he reportedly attempted to pass himself off as a federal agent when he was collared by New York City cops last month, Gawker reports.
